This New 'Secure' App for Journalists May Not Be Secure At All

When I started working as a journalist in Colombia in 2006, "What do I do if I get kidnapped?" was a common topic at parties. In fact in 2007, my brother (not a journalist) got kidnapped in a small town outside of Medellín. The Colombian anti-kidnapping squad (GAULA) rescued him.

So let's just say I take an interest in journalist security tools. New apps have the potential to help journalists do their jobs, and stay safe while doing so.

Reporta offers journalists working in dangerous environments a way to check in with editors and other trusted associates. It also includes a “panic button” feature if you are in immediate danger.

The security experts we spoke to were vocal in their criticism of Reporta. The problems start with the fact that the app is closed source, meaning the code isn’t public for review. Counterintuitively, it’s considered more secure to publish your code so that outside developers can help audit it.

"I think this is yet another app claiming security without doing due diligence."

"The problems are manifold," Eleanor Saitta, an independent security researcher who advises many NGOs, including the Freedom of the Press Foundation, wrote in an encrypted email. “They claim to have had audits done, but there are no public audit reports, making it impossible to get any understanding of their code quality or whether they're actually doing anything they claim to be doing."

More worrying, she said, is that Reporta is likely to attract highly sophisticated nation-state hackers. The Reporta FAQ promises data encryption and server security, but the IWMF is a non-technical NGO—is it capable of defending its servers against very savvy attackers? The organization already fails a basic security test: neither its website nor the Reporta homepage use HTTPS by default—a standard precaution that verifies a website is legitimate and encrypts data sent between you and the server. Their email server also appears misconfigured, as emails sent to info@reporta.org and support@reporta.org were returned with the message “connect to reporta.org[65.36.196.39]:25: No route to host.”

Saitta also took issue with Reporta’s privacy policy. “Basically, they collect a large amount of information and their staff have access to all of it, including the content of messages sent through the system and the location of users," she wrote.

According to the privacy policy, the IWMF reserves the right to share this data with a wide variety of third parties, and to respond to subpoenas and court orders from an unspecified number of jurisdictions.

"The latter," Saitta wrote, "is especially problematic, because the entire point of the application is to provide safety for journalists operating in regions where the government may be corrupt and otherwise hostile to freedom of expression."

The icing on the cake? According to the privacy policy, the “IWMF may modify this Privacy Policy at any time and without prior notice to you.”

Other security experts agreed with Saitta's analysis.

“My biggest concern right now is the lack of transparency. Both in terms of code and in terms of business practices,” Runa Sandvik wrote in an email. Sandvik is an independent security researcher who, like Saitta, serves on the Technical Advisory Board of the Freedom of the Press Foundation. "The app was created not just as a panic app, but one that journalists can also use for regular check-ins with notes and photos and videos. Exactly where that data goes, who has access to it, for how long, and so on is not made clear to users."

Jillian C. York, director for international freedom of expression at the EFF, told me via Twitter direct message, "I think this is yet another app claiming security without doing due diligence. It's unfortunate that IWMF didn't reach out to the security community. As for the NGOs that endorsed it, I'm curious to know what their process and involvement looked like." York called out both Article 19 and Global Journalist Security for their involvement with Reporta. “Their endorsements,” she tweeted, “are what really shocked me.”

Motherboard reached out to both organizations for comment. While the Reporta web page thanks those two organizations “for their contributions to Reporta,” Article 19 clarified in an email that “we were consulted on the content of Reporta, but Article 19 have not given it our endorsement.” Global Journalist Security did not respond to our request for comment before publication. Update: Global Journalist Security sent a statement indicating it had raised technical security questions about Reporta early on. In an email statement, a representative wrote that the group supports the project, and added that "Most of [the criticisms] can be resolved, as others have indicated, through greater transparency about the app's security mechanisms and protocols."

The IWMF declined to address these security issues, but sent the following statement by email:

Reporta is designed to be a layer of protection and should be used in conjunction with a reporter's pre-established security protocols.

In creating the app, we consulted with a wide range of stakeholders, including many journalists, and will continue to do so as the app evolves. We also conducted several audits with independent digital security experts and incorporated their guidance into the application.

We are committed to offering a highly useful tool to journalists and maintaining our mission of strengthening the role of journalists worldwide.

Thank you for your feedback, we will take it into account as we continue to work on advancing awareness for the deteriorating security conditions too many journalists face.